Make WordPress Core

Opened 9 months ago

Closed 7 months ago

#63622 closed defect (bug) (fixed)

Warning on inline-save AJAX

Reported by: bor0
Owned by: SergeyBiryukov
Milestone: 6.9
Priority: normal
Severity: normal
Version:
Component: Quick/Bulk Edit
Keywords: has-patch reporter-feedback
Focuses:
Cc:

Description

Our servers reported the following warning:

Undefined array key "_status"

After digging deeper, I found that we're assuming this is always going to be set here: https://github.com/WordPress/WordPress/blob/d4d9284/wp-admin/includes/ajax-actions.php#L2118

To reproduce, you can use curl and populate all the necessary information (auth token, nonce, etc.), but I found an easier way:

$ wp shell
wp> wp_set_current_user( 1 )
wp> require_once ABSPATH . 'wp-admin/includes/ajax-actions.php';
wp> $_POST = []; // Note: We will intentionally omit '_status' to trigger the warning
wp> $_POST['action'] = 'inline-save'
wp> $_POST['post_ID'] = current( get_posts() )->ID
wp> $_POST['post_type'] = 'post'
wp> $_POST['_inline_edit'] = wp_create_nonce( 'inlineeditnonce' )
wp> $_POST['screen'] = 'edit-post'
wp> $_POST['post_view'] = 'list'
wp> $_REQUEST = $_POST // need this for referer check function
wp> wp_ajax_inline_save();
PHP Warning:  Undefined array key "_status" in /opt/homebrew/var/www/wp-admin/includes/ajax-actions.php on line 2118
Warning: Undefined array key "_status" in /opt/homebrew/var/www/wp-admin/includes/ajax-actions.php on line 2118
...

Attachments (1)

63622.patch (513 bytes) - added by bor0 9 months ago.


Change History (6)

#1 @bor0
9 months ago

  • Keywords has-patch added

@SergeyBiryukov would appreciate your 👀

#2 @jorbin
9 months ago

  • Keywords reporter-feedback added

How would an end user encounter this issue? This feels like something that is coming from a plugin trying to use the core endpoint and doing so incorrectly, or from a plugin removing a field from quick edit, both of which seem like things that should be fixed by the plugin causing the issue.

#3 @bor0
7 months ago

I don't think an end-user can encounter it, but looking at that file, all $data references have a corresponding isset/! empty check, so I thought being more defensive made sense.

#4 @SergeyBiryukov
7 months ago

  • Component changed from General to Quick/Bulk Edit
  • Milestone changed from Awaiting Review to 6.9
  • Owner set to SergeyBiryukov
  • Status changed from new to accepted

#5 @SergeyBiryukov
7 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 60639:

Quick/Bulk Edit: Check if post status is set in wp_ajax_inline_save().

This aims to avoid a PHP warning if the status value is missing in the request.

Follow-up to [8951], [9083].

Props bor0, jorbin, SergeyBiryukov.
Fixes #63622.
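
The missing-key condition in this ticket can be caught before it reaches a server log by calling a handler once per request field with that field removed. This is an added example, not code from WordPress core or the attached patch; `handler_unguarded()`, `handler_guarded()`, `omitted_key_diagnostics()` and the sample request are hypothetical and constructed for illustration.

```php
<?php
// Added example; not WordPress core code. All function names are hypothetical.

/** Reads '_status' unconditionally, the pattern the ticket reports. */
function handler_unguarded( array $data ): array {
	$data['post_status'] = $data['_status']; // Raises a diagnostic when the key is absent.
	return $data;
}

/** Copies '_status' only when the request carried it. */
function handler_guarded( array $data ): array {
	if ( isset( $data['_status'] ) ) {
		$data['post_status'] = $data['_status'];
	}
	return $data;
}

/**
 * Calls $handler once per field with that field removed and returns
 * [ omitted key => diagnostics raised ] for every omission that was noisy.
 */
function omitted_key_diagnostics( callable $handler, array $full_request ): array {
	$report = array();
	foreach ( array_keys( $full_request ) as $key ) {
		$request = $full_request;
		unset( $request[ $key ] );
		$seen = array();
		set_error_handler(
			function ( int $errno, string $errstr ) use ( &$seen ): bool {
				$seen[] = $errstr;
				return true; // Captured here; skip PHP's default handler.
			},
			E_WARNING | E_NOTICE // PHP 8 warns, PHP 7 issues a notice.
		);
		try {
			$handler( $request );
		} finally {
			restore_error_handler();
		}
		if ( $seen ) {
			$report[ $key ] = $seen;
		}
	}
	return $report;
}

// Constructed request body: fields from the reproduction plus '_status'.
$full = array( 'post_ID' => 1, 'post_type' => 'post', 'screen' => 'edit-post', '_status' => 'draft' );

print_r( omitted_key_diagnostics( 'handler_unguarded', $full ) );
print_r( omitted_key_diagnostics( 'handler_guarded', $full ) );
```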
